How related is ISO 27001 to the Law on the Protection of Personal Data No. 6698 (DPL)?
The TS EN ISO/IEC 27001 standard is a general framework for information security. Under the DPL, personal data are critical assets that every institution must protect properly. Some DPL requirements fall outside the direct scope of ISO 27001, notably the data subject's rights: the right of access to information, the right of correction, the right to be forgotten and data portability. However, personal data is normally categorized as an information security asset, so fulfilling the requirements of ISO 27001 addresses most of the requirements of the DPL.
In addition to the accepted technical controls, formal documentation, proper monitoring and continuous improvement, implementing ISO 27001 builds an organizational culture and raises awareness of information security incidents. Information security is not just about technology; it is also about people and processes.
ISO 27001 is an excellent framework for DPL compliance. The first thing a business needs to do is a DPL gap analysis to identify what it still needs in order to become compliant; those items can then be added to the Information Security Management System (ISMS) established under ISO 27001.
ISO 27001 provides ways to ensure personal data protection, and there are many points where the standard helps companies comply with the DPL. The most relevant are listed below:
Risk Assessment - Because of the high administrative fines set out in the DPL, it is important to assess the risks to personal data explicitly during the risk assessment. Privacy impact assessments, which DPL compliance work typically involves, follow the same risk-based method ISO 27001 prescribes: identify the data, the threats to it and the controls that reduce the risk to an acceptable level.
Compliance - Control A.18.1.1 of ISO 27001 (Identification of applicable legislation and contractual requirements) makes it imperative to maintain a list of relevant legal, statutory, regulatory and contractual requirements while applying the standard. If the organization is required to comply with the DPL, the law must be included in this list. In addition, control A.18.1.4 (Privacy and protection of personally identifiable information) guides organizations through the implementation of a data processing policy and the protection of personally identifiable information. (These control numbers follow Annex A of ISO/IEC 27001:2013; the 2022 revision regroups and renumbers the controls, so map them accordingly if you are working from the newer edition.)
Breach notification - Companies are obliged to notify the Personal Data Protection Authority about breaches of personal data. Implementing ISO 27001 control A.16.1 (Management of information security incidents and improvements) provides "a consistent and effective approach to the management of information security incidents, including communication on security events and weaknesses". Having a defined process for detecting, classifying and reporting personal data incidents is a clear improvement for an organization that wishes to comply with the DPL.
Asset Management - ISO 27001 control A.8 (Asset management) requires personal data to be treated as an information security asset. The organization must therefore identify which personal data it processes, where the data are stored and how long they are retained, which are also requirements of the DPL.
Supplier Relations - ISO 27001 control A.15.1 (Information security in supplier relationships) requires the organization to protect its assets that are accessible to suppliers. Under the DPL, the organization must likewise bind suppliers that process or store personal data on its behalf to the requirements of the law through formal agreements.
Applying ISO 27001 alone is not sufficient for DPL compliance. However, almost every company will have to comply with the law, and since ISO 27001 is an international standard, building compliance on it is one of the best steps toward DPL compliance.